Zaros Part 1
Zaros
DeFiFoundry
60,000 USDC
View results
Previous Next
Submission Details
Severity: high
Invalid

One trader can revert the entire offChainOrder to cause DOS

sancybars

Summary

`offChainOrder` are executed in batches, combinations of all offChainOrders in an array. However the function is only called by the `onlyOffchainOrdersKeeper` a malicious trader can cause a revert to make all offChainOrders fail.

Vulnerability Details

function fillOffchainOrders(
uint128 marketId,
OffchainOrder.Data[] calldata offchainOrders,
bytes calldata priceData
)
external
onlyOffchainOrdersKeeper(marketId)
{

When iterating through the orders it checks if the any `sizeDelta` of the order is zero and reverts the transaction

for (uint256 i; i < offchainOrders.length; i++) {
ctx.offchainOrder = offchainOrders[i];
// enforce size > 0
if (ctx.offchainOrder.sizeDelta == 0) {
revert Errors.ZeroInput("offchainOrder.sizeDelta");
}

A malicious trader can create an off chain order with zero `sizeDelta ` to make all orders revert denying trader ability trade offChain

struct Data {
uint128 tradingAccountId;
uint128 marketId;
int128 sizeDelta;
uint128 targetPrice;
bool shouldIncreaseNonce;
uint120 nonce;
bytes32 salt;
uint8 v;
bytes32 r;
bytes32 s;
}

Impact

A malicious trader can deny any offChainOrders from executing

Tools Used

Manual Review

Recommendations

Skip orders with zero \`sizeDelta\` instead of reverting this will ensure legit trades get executed

for (uint256 i; i < offchainOrders.length; i++) {
OffchainOrder.Data memory offchainOrder = offchainOrders[i];
// Skip orders with zero sizeDelta
if (offchainOrder.sizeDelta == 0) {
continue;
}
Updates

Lead Judging Commences

inallhonesty Lead Judge
about 1 year ago
inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Design choice

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.